Acasă Explorează Ajutor
Autentificare
PUBLIC_REPOS
/
buildroot
oglindă de git://git.buildroot.net/buildroot
2
1
Bifurcare 0
Fisiere
Răsfoiți Sursa

package/refpolicy: add config option for "enableaudit"

SELinux policies commonly contain "dontaudit" rules, which omit
certain denied actions from the audit logs to keep the log volume
manageable. When investigating issues this can become a problem in
itself because messages that could show the cause might be hidden.

The common advice is to use "semodule -DB" to temporarily disable the
dontaudit rules, but this is only possible with a modular policy,
while package/refpolicy builds a monolithic policy. Instead, the
Rules.monolithic makefile offers the "enableaudit" target, which
removes any dontaudit rules before compiling the policy.

This patch adds a config option to run the enableaudit target during
the configure stage, intended for debug builds.

Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: remove unneeded "default n" in Config.in]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fiona Klute 3 luni în urmă
părinte
b9d3a0418b
comite
ee984e116a
2 a modificat fișierele cu 19 adăugiri și 0 ștergeri
Vizualizare divizată Arată Statisticile Diff
  1. 12 0
      package/refpolicy/Config.in
  2. 7 0
      package/refpolicy/refpolicy.mk

+ 12 - 0
package/refpolicy/Config.in
Vizualizați fișierul 

@@ -121,6 +121,18 @@ config BR2_REFPOLICY_EXTRA_MODULES
 
 
 endif
 
 
+config BR2_REFPOLICY_ENABLEAUDIT
 
+	bool "remove dontaudit rules from policy (debugging only)"
 
+	help
 
+	  Remove dontaudit rules from policy.conf before compiling the
 
+	  policy. This can be useful for debugging to see "denied"
 
+	  audit log messages that would otherwise be hidden, which
 
+	  show the cause of problems.
 
+
 
+	  Warning: This option will likely produce a high rate of
 
+	  audit log messages, and should be enabled only for
 
+	  debugging.
 
+
 
 endif
 
 
 comment "refpolicy needs a toolchain w/ threads, gcc >= 5, host gcc >= 5"

+ 7 - 0
package/refpolicy/refpolicy.mk
Vizualizați fișierul 

@@ -101,6 +101,12 @@ define REFPOLICY_CONFIGURE_SYSTEMD
 
 endef
 
 endif
 
 
+ifeq ($(BR2_REFPOLICY_ENABLEAUDIT),y)
 
+define REFPOLICY_CONFIGURE_ENABLEAUDIT
 
+	$(REFPOLICY_MAKE) -C $(@D) enableaudit
 
+endef
 
+endif
 
+
 
 define REFPOLICY_CONFIGURE_CMDS
 
 	$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \
 
 		$(@D)/build.conf
 
@@ -111,6 +117,7 @@ define REFPOLICY_CONFIGURE_CMDS
 
 		$(REFPOLICY_COPY_EXTRA_MODULES)
 
 	)
 
 	$(REFPOLICY_MAKE) -C $(@D) bare conf
 
+	$(REFPOLICY_CONFIGURE_ENABLEAUDIT)
 
 	$(REFPOLICY_CONFIGURE_MODULES)
 
 endef